Earlier this month Kaspersky was first to identify a new and improved variant of the blackmailing Gpcode trojan.
The virus works by infiltrating a user’s computer via unpatched browsers. Once active it encodes most of the data on the computer, including .doc, .txt, .pdf, .xls, .jpg and .png files, with a 1024 bit key and then demands money from the user to obtain the decryption key.
The malware is a revision of a previous virus, thought to be from the same author, which appeared two years ago but only used a 660 bit key.
Although Kaspersky and other security vendors have been successful in cracking the 660 bit key, efforts to decode the 1024 bit key have proven unsuccessful.
And while Kaspersky is still yet to crack the 1024 bit encryption, it has identified a method to retrieve users’ encrypted files.
The new method makes use of the fact that before encrypting a file, the Gpcode ransomware creates a new file ‘next to’ the file it encrypts. Once encryption of a file is complete, the virus deletes the original file.
Kaspersky has pinpointed a method based on data recovery techniques to retrieve the original file.
To do this, Kaspersky Lab analysts have leveraged the free PhotoRec utility while adding the ability to restore exact file names and pathways.
The downloadable executable "restores original filenames and the full paths of the files recovered," said Kaspersky.
While the new utility is free, Kaspersky is asking victims to consider donating to the PhotoRec creators, who include Christophe Grenier.
Kaspersky pinpoints workaround for ransomware virus
By Mitchell Bingemann on Jun 17, 2008 2:08PM
While Kaspersky Lab is yet to crack the 1024-bit encryption key used to blackmail unwitting victims of the Gpcode virus, the security research firm has created a free utility to restore files that may have been deleted by the ransomware variant.
Got a news tip for our journalists? Share it with us anonymously here.